UDP Flood issue (Zywall USG 100)
Freshman Member
Hello. Today internet works slow. I noticed, that CPU overload (98%) and the Active session list is full too.
I visited log and saw a lot of ADP records:
I visited log and saw a lot of ADP records:
from Any to ZyWALL, [type=Flood-Detection(8910002)] UDP Flood UDP Flood Action: Block Severity: medium <FLOOD IP:PORT> <MY EXTERNAL IP> ACCESS BLOCK
In the ADP profile I turned logging off and decreased the threshold from 1000 to 500:
In the Firewall menu, I turned on Session limit for 300 second and 50 Sessions per Host In the Session control tab:
But unfortunately, the session pool didn't decrease and the CPU still overload too. Now in the log menu I have list of blocked IP addresses:
What is your suggestion? How to refuse or refuse or stop this attack?
0
Accepted Solution
-
I solved this issue!!!I appreciate your help and suggestions!I just turned ON the checkbox "Firewall" thus, port 53 closed automatically, and the active session pool became in a normal state!
0
All Replies
-
Short UDP Sessions to 30 seconds as a test.Which destination ports are involved? You obscured the destination IP, maybe the "bogey" it's inside that IP address?0
-
set Sessions per Host to 0
also disable UDP flood
If your truly being DDoS not much you can do about it...I would hope the USG makes way for LAN to WAN sessions.
0 -
Thank you for your answer:mMontana said:Short UDP Sessions to 30 seconds as a test.Which destination ports are involved? You obscured the destination IP, maybe the "bogey" it's inside that IP address?
The source port is 53, involving just 2 destination IPs: it is my external IP that provided me 2 ISP providers. I decided to hide it for security reasons.0 -
I logged in my ZyWall and saw 50% of active sessions and 95% CPU.PeterUK said:set Sessions per Host to 0
also disable UDP flood
If your truly being DDoS not much you can do about it...I would hope the USG makes way for LAN to WAN sessions.
When I Disabled UDP flood and set Sessions per Host to 0 - The session become increasing to 70%.
I enforced to set up previous settings like on screenshot.0 -
-
Zyxel_James said:
Actually, the ADP feature already blocks the attack for you, but as @PeterUK said, it's not much we can do to stop it if you're attacked by UDP flood.Thank you for your answer. Also, I wonder about ADP policies. I have 5 rules, maybe I can optimize it?
0 -
Also, I see 53 port of both ISP IPs under attack.I tested my external IP via site: https://www.openresolver.nl/ and it wrote "good" - No open resolver on IPv4 result.Maybe I should check 53 port settings?
0 -
Also as an additional feature I set up firewall to drop UDP DNS (53 port) due to this article: https://community.zyxel.com/en/discussion/9768/abnormal-udp-traffic-detected-source-port-is-zero-drop-port53 but it doesn't release active session pool...0
-
If your sure its from or to a given port (or by IP) and its low bandwidth you could put a managed switch in front of the USG and drop packets by ACL0
-
Oh no... I check 53 port is open, OMG! Using this service: https://www.yougetsignal.com/tools/open-ports/But I can't see this record in my firewall rules...I see two rules that block DNS_UDP and DNS_TCP ports.
How to close 53 port?
0
Guru Member
Zyxel Employee
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 145 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.6K Security
- 239 USG FLEX H Series
- 267 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.3K Consumer Product
- 247 Service & License
- 384 News and Release
- 83 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight
